
Error msg exposes token in URL #851

Closed
jameshearttech opened this issue Dec 13, 2023 · 4 comments · Fixed by #852
Comments

@jameshearttech

jameshearttech commented Dec 13, 2023

Successful sync logs show token as REDACTED.

$ docker run -it registry.k8s.io/git-sync/git-sync:v4.1.0 --repo=$REPO_GOOD --root=/git --link=link
INFO: detected pid 1, running init handler
{"logger":"","ts":"2023-12-13 21:44:27.713992","caller":{"file":"main.go","line":523},"level":0,"msg":"starting up","pid":11,"uid":65533,"gid":65533,"home":"/tmp","flags":["--add-user=false","--change-permissions=0","--cookie-file=false","--credential=[]","--depth=1","--exechook-backoff=3s","--exechook-timeout=30s","--git=git","--git-gc=always","--group-write=false","--help=false","--http-metrics=false","--http-pprof=false","--link=link","--man=false","--max-failures=0","--max-sync-failures=0","--one-time=false","--period=10s","--ref=HEAD","--repo=https://x-token-auth:REDACTED@bitbucket.org/example/repo.git","--root=/git","--ssh=false","--ssh-key-file=[/etc/git-secret/ssh]","--ssh-known-hosts=true","--ssh-known-hosts-file=/etc/git-secret/known_hosts","--stale-worktree-timeout=0s","--submodules=recursive","--sync-timeout=2m0s","--timeout=0","--v=-1","--verbose=0","--version=false","--wait=0","--webhook-backoff=3s","--webhook-method=POST","--webhook-success-status=200","--webhook-timeout=1s"]}
{"logger":"","ts":"2023-12-13 21:44:27.735489","caller":{"file":"main.go","line":1079},"level":0,"msg":"repo directory was empty or failed checks","path":"/git"}
{"logger":"","ts":"2023-12-13 21:44:27.735741","caller":{"file":"main.go","line":1089},"level":0,"msg":"initializing repo directory","path":"/git"}
{"logger":"","ts":"2023-12-13 21:44:28.786089","caller":{"file":"main.go","line":1639},"level":0,"msg":"update required","ref":"HEAD","local":"","remote":"7ef4fc62732cde2e8d8248f8ea4bef01264e2fab","syncCount":0}
{"logger":"","ts":"2023-12-13 21:44:33.184934","caller":{"file":"main.go","line":1690},"level":0,"msg":"updated successfully","ref":"HEAD","remote":"7ef4fc62732cde2e8d8248f8ea4bef01264e2fab","syncCount":1}

Error exposes token (main.go:784).

$ docker run -it registry.k8s.io/git-sync/git-sync:v4.1.0 --repo=$REPO_BAD --root=/git --link=link
INFO: detected pid 1, running init handler
{"logger":"","ts":"2023-12-13 21:45:38.868352","caller":{"file":"main.go","line":523},"level":0,"msg":"starting up","pid":13,"uid":65533,"gid":65533,"home":"/tmp","flags":["--add-user=false","--change-permissions=0","--cookie-file=false","--credential=[]","--depth=1","--exechook-backoff=3s","--exechook-timeout=30s","--git=git","--git-gc=always","--group-write=false","--help=false","--http-metrics=false","--http-pprof=false","--link=link","--man=false","--max-failures=0","--max-sync-failures=0","--one-time=false","--period=10s","--ref=HEAD","--repo=https://x-token-auth:REDACTED@bitbucket.org/example/repo.git","--root=/git","--ssh=false","--ssh-key-file=[/etc/git-secret/ssh]","--ssh-known-hosts=true","--ssh-known-hosts-file=/etc/git-secret/known_hosts","--stale-worktree-timeout=0s","--submodules=recursive","--sync-timeout=2m0s","--timeout=0","--v=-1","--verbose=0","--version=false","--wait=0","--webhook-backoff=3s","--webhook-method=POST","--webhook-success-status=200","--webhook-timeout=1s"]}
{"logger":"","ts":"2023-12-13 21:45:38.880327","caller":{"file":"main.go","line":1079},"level":0,"msg":"repo directory was empty or failed checks","path":"/git"}
{"logger":"","ts":"2023-12-13 21:45:38.880423","caller":{"file":"main.go","line":1089},"level":0,"msg":"initializing repo directory","path":"/git"}
{"logger":"","ts":"2023-12-13 21:45:39.799373","caller":{"file":"main.go","line":784},"msg":"too many failures, aborting","error":"Run(git ls-remote -q https://x-token-auth:this-is-not-a-valid-token@bitbucket.org/example/repo.git HEAD HEAD^{}): exit status 128: { stdout: \"\", stderr: \"remote: Invalid credentials\\nfatal: Authentication failed for 'https://bitbucket.org/example/repo.git/'\" }","failCount":1}
@thockin
Member

thockin commented Dec 13, 2023

Can you instead pass the token via the GITSYNC_PASSWORD env var or the --password-file? That's going to be safer, for sure. That said, there are other logs that emit the value of --repo, which need to be redacted, but it's not always clear that they need to be (e.g. -v 5 emits all exec'ed commands).

If you run with -v 3 I think you'll see some.
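The two places the thread points at are the --repo flag (already shown as REDACTED in the startup log) and free-form strings such as the exec'ed command line echoed back inside the main.go:784 error. Below is an added example, not git-sync's own code, of both kinds of scrubbing in Go: redactURL masks only the password of a parsed URL, and scrubText masks the password of any scheme://user:password@ userinfo embedded in arbitrary text, which is what an error message carrying a git command line needs. The sampleError constant is constructed here from the log line in the issue; the function names are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// sampleError is a constructed copy of the error text from the issue report;
// the token it carries is the bogus value used in the report.
const sampleError = `Run(git ls-remote -q https://x-token-auth:this-is-not-a-valid-token@bitbucket.org/example/repo.git HEAD HEAD^{}): exit status 128: { stdout: "", stderr: "remote: Invalid credentials\nfatal: Authentication failed for 'https://bitbucket.org/example/repo.git/'" }`

// redactURL returns raw with the userinfo password replaced by REDACTED.
// The username is kept so an operator can still see which account was used.
// Unparseable input is returned unchanged rather than dropped, so a caller
// never loses the log line; it should then fall back to scrubText.
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return raw
	}
	if _, hasPassword := u.User.Password(); hasPassword {
		u.User = url.UserPassword(u.User.Username(), "REDACTED")
	}
	return u.String()
}

// credInURL matches "scheme://user:password@" anywhere in a string.
// Group 1 keeps scheme and username; the password is everything up to the
// "@" that ends the userinfo. A password containing a raw "@" would have to
// be percent-encoded to be a valid URL in the first place, so "[^@\s]+" is
// sufficient for URLs git itself would accept.
var credInURL = regexp.MustCompile(`([a-zA-Z][a-zA-Z0-9+.\-]*://[^:/@\s]+:)[^@\s]+@`)

// scrubText masks the password in every embedded URL of an arbitrary string,
// e.g. an exec'ed command line or git's stderr quoted into an error message.
func scrubText(s string) string {
	return credInURL.ReplaceAllString(s, "${1}REDACTED@")
}

func main() {
	repo := "https://x-token-auth:this-is-not-a-valid-token@bitbucket.org/example/repo.git"
	fmt.Println("flag value:", redactURL(repo))
	fmt.Println("error text:", scrubText(sampleError))
}
```

scrubText leaves the credential-free URL in git's stderr ("Authentication failed for 'https://bitbucket.org/example/repo.git/'") untouched, because that URL has no userinfo to match; only the command-line URL with the token is rewritten.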

@thockin
Member

thockin commented Dec 14, 2023

#852

@thockin
Member

thockin commented Dec 14, 2023

Try that?

@jameshearttech
Author

@thockin I removed the username and password (i.e., token) from the repo URL. I specified the username x-token-auth using the --username parameter. I specified the password using the GITSYNC_PASSWORD env var. Thank you for the recommendation!

2 participants